Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,800
Maven
5,000+
npm
4,426
NuGet
773
pip
4,199
Pub
12
RubyGems
968
Rust
1,086
Swift
47
Unreviewed advisories
All unreviewed
5,000+

25,328 advisories

Loading
Anthropic's MCP TypeScript SDK has a ReDoS vulnerability High
CVE-2026-0621 was published for @modelcontextprotocol/sdk (npm) Jan 5, 2026
Clashsoft
Credited to Clashsoft
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API Moderate
CVE-2025-67427 was published for @evershop/evershop (npm) Jan 5, 2026
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API High
CVE-2025-67419 was published for @evershop/evershop (npm) Jan 5, 2026
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer Critical
CVE-2025-62877 was published for github.com/harvester/harvester-installer (Go) Jan 5, 2026
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read High
CVE-2026-21857 was published for redaxo/source (Composer) Jan 5, 2026
lukasz-rybak
Credited to lukasz-rybak
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds. Moderate
GHSA-hqf9-8xv5-x8xw was published for @openzeppelin/confidential-contracts (npm) Jan 5, 2026
gix-date can create non-utf8 string with `TimeBuf::as_str` Moderate
GHSA-6mw6-mj76-grwc was published for gix-date (Rust) Jan 5, 2026
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass Moderate
GHSA-hjr9-wj7v-7hv8 was published for github.com/bishopfox/sliver (Go) Jan 5, 2026
0xkato
Credited to 0xkato
badkeys vulnerable to ASCII control character injection on console via malformed input Low
CVE-2026-21439 was published for badkeys (pip) Jan 5, 2026
hannob
Credited to hannob
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior High
CVE-2025-68455 was published for craftcms/cms (Composer) Jan 5, 2026
chutchut
Credited to chutchut
Unauthenticated Craft CMS users can trigger a database backup High
CVE-2025-68456 was published for craftcms/cms (Composer) Jan 5, 2026
h4x0r-dz
Credited to h4x0r-dz
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI Moderate
CVE-2025-68454 was published for craftcms/cms (Composer) Jan 5, 2026
RajChowdhury240 rlarabee
Credited to RajChowdhury240 and rlarabee
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation Moderate
CVE-2025-68437 was published for craftcms/cms (Composer) Jan 5, 2026
mHe4am
Credited to mHe4am
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation Moderate
CVE-2025-68436 was published for craftcms/cms (Composer) Jan 5, 2026
z3rco
Credited to z3rco
jsPDF has Local File Inclusion/Path Traversal vulnerability Critical
CVE-2025-68428 was published for jspdf (npm) Jan 5, 2026
kilkat
Credited to kilkat
Apache SIS has Improper Restriction of XML External Entity Reference vulnerability Moderate
CVE-2025-68280 was published for org.apache.sis.core:sis-metadata (Maven) Jan 5, 2026
flagd: Multiple Go Runtime CVEs Impact Security and Availability High
GHSA-4c5f-9mj4-m247 was published for github.com/open-feature/flagd/core (Go) Jan 5, 2026
pramod-ahire
Credited to pramod-ahire
MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation High
CVE-2026-21452 was published for org.msgpack:msgpack-core (Maven) Jan 5, 2026
HyperPS
Credited to HyperPS
Apache Kyuubi Server vulnerable to Path Traversal High
CVE-2025-66518 was published for org.apache.kyuubi:kyuubi-server_2.12 (Maven) Jan 5, 2026
Vaadin vulnerable to Cross-site Scripting Moderate
CVE-2025-15022 was published for com.vaadin:vaadin (Maven) Jan 5, 2026
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover Moderate
CVE-2026-21483 was published for github.com/knadh/listmonk (Go) Jan 2, 2026
PlayerIUnknown
Credited to PlayerIUnknown
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users High
CVE-2026-21449 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto has IDOR in Customer Order Reorder Functionality High
CVE-2026-21447 was published for bagisto/bagisto (Composer) Jan 2, 2026
DenizParlak
Credited to DenizParlak
Bagisto has Normal & Blind SSTI from low-privilege user when ordering product High
CVE-2026-21448 was published for bagisto/bagisto (Composer) Jan 2, 2026
Bagisto SSTI vulnerability in type parameter can lead to RCE High
CVE-2026-21450 was published for bagisto/bagisto (Composer) Jan 2, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database